command

In the command configuration section, a command is defined that will be used by one or more active responses. There is no limit on the number of commands that may be used by an active response, however, each one must be in its own separate <command> section.

Options

name

Specifies the name of the command which is called in the active-response section.

Default value

n/a

Allowed values

Any name

use

Required

executable

Names an executable file to run. It is not necessary to provide the path.

These files are located in /var/ossec/active-response/bin directory in Linux based systems, or in C:\Program Files (x86)\ossec-agent\active-response\bin directory in Windows systems.

Default value

n/a

Allowed values

Any file name

use

Required

expect

Deprecated since version 4.2.

Specifies the lists of extracted fields that are to be passed as parameters to the command. If any of the listed fields were not declared in a certain instance, those field values would be passed as a dash (-) instead of as no value at all. The command requires finding the expected fields in the alert, otherwise, the AR will be skipped.

A good example is the firewall-block command which expects the srcip field in order to know which IP address to block. Multiple expected field names are comma separated.

Default value

n/a

Allowed values

Extracted fields: srcip, user, or filename separated by commas if there is more than one.

use

Not required

extra_args

Allows the user to customize the parameters sent to the active response script living on the agent side.

Default value

n/a

Allowed values

Any extra argument to be read by the active-response scripts.

use

Not required

Note

The content of this setting will be appended to the existent parameters being sent to the agent.

timeout_allowed

Specifies whether the command is stateful or stateless. If yes, the command is stateful, meaning it will undo its original action after the period of time specified in the Active Response.

Default value

no

Allowed values

yes, no

Sample configuration

<!-- For Unix systems -->
<command>
  <name>custom_command</name>
  <executable>custom_script</executable>
  <extra_args>arg1 arg2 arg3</extra_args>
  <timeout_allowed>yes</timeout_allowed>
</command>

<!-- For Windows systems -->
<command>
  <name>win_route-null</name>
  <executable>route-null.exe</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>